
Spyware -- Winfixer, Virtumonde ?! [RESOLVED]

merecomputeruser

Posted 10 October 2005 - 10:21 AM

I'm having trouble with Winfixer and Virtumonde. I downloaded AdAware before even coming here, but if I run it 3 times in a row, something is always there.

My computer freezes at least twice a day. (Internet only freezes, I can still work in Excel.)

I tried to do everything your list instructed me to do before posting here. However, my computer won't let me download CWShredder. I get a pop-up with "not a valid Win32 application." ?!

I downloaded Spybot and ran it, but couldn't figure out the sister download (from the "Geeks are marvelous" or whatever website) with that? It looked like it wanted me to download Spybot again?

I wanted to download the SP1a from Windows, but it takes me to "Windows Update" and I'm already supposed to be receiving regular updates from Windows anyway, so shouldn't I already be updated? So I didn't download anything (nothing was labeled SP1a, and I don't want to download SP2 if I have spyware and it might hurt my computer!!) But I must have done something, because when I rebooted, I got this pop-up "Runner Error" Runner file name (Updates from HP.exe) lacks a '-' (the app id separator) ?!!

ewido log as requested: -- (was there another log I needed, too? I don't know how to use notepad -- I pasted this in Word.)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.13 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\vtutt.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\ttutv.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

merecomputeruser

Posted 14 October 2005 - 07:55 AM

OK! So far so good! One snag -- when HijackThis opened, it was blank. So I hit scan, I think, and it brought up the report. The first item I was supposed to find was not there -- The O2 - BHO: MSEvents Object . . . etc. etc. I found the 2nd item and hit Fix Checked and the rest was well.

I ran Activescan, and it was all 0's. It didn't detect anything. (I hit a button, and the report vanished, and I can't get back to it, it seems.) SO it was clean, but I can't get back to the report.

tampabelle

Posted 16 October 2005 - 04:42 PM

Your logs look fine. We just need to fine tune some settings on your PC.

Delete the following programs and the associated folders, which you downloaded during the cleaning up process -

Vundofix.exe
Vundofix folder

We can disable Ewido from running at startup. Conflicts can arise between multiple anti-virus programs and can severely hamper the performance of the PC.

Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - ewido security suite control. Right click on it and then click on properties. In the Startup Type choose the option Disable. Similarly disable the service - ewido security suite guard. Close the window.

You can use Ewido whenever you want to scan your PC by manually running it. Please make sure that you get the updates for Ewido before scanning with it each time.

Run Hijack This and click on scan. The following items need to be fixed -

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

This will not delete the programs from your PC. This will only disable the programs from running at Start up and result in a faster PC. You can always run the programs manually by using the respective exe files or the shortcuts.
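The same service change tampabelle describes through Services.msc, done from PowerShell so the result can be verified. This is an added example, not part of the thread or of Ewido's own tooling; it assumes an elevated PowerShell prompt and that the two display names match what Services.msc shows on this PC. The last part lists the logon auto-start registry entries (the ones HijackThis reports as O4 items) so you can see what else launches at startup before deciding what to disable.

```powershell
# Added example (not from the thread): disable the two ewido services tampabelle
# names, then confirm their startup type. Run from an elevated PowerShell prompt.
# Assumption: the display names below match those shown in Services.msc.
$targets = 'ewido security suite control', 'ewido security suite guard'

foreach ($display in $targets) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "No service with display name '$display' found"
        continue
    }
    # Stop it if it is running, then set it to Disabled so it never auto-starts.
    # The program files stay on disk; Ewido can still be launched by hand.
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
}

# Verify: StartMode should now read 'Disabled' for both services.
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'ewido%'" |
    Select-Object Name, DisplayName, StartMode, State | Format-Table -AutoSize

# Show the per-machine and per-user Run keys (HijackThis O4 entries) so you can
# review what starts at logon. Nothing is changed here; this is read-only.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "`n$key"
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0,-30} {1}' -f $_.Name, $_.Value }
    }
}
```

If Get-Service finds nothing, check the exact display name in Services.msc first; the wildcard in the WMI filter is only used for the verification step.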

Posted 16 October 2005 - 06:45 PM

I have one last thing that's bothering me with this computer. Let me know if you can fix this -- my computer never shuts down all the way. If I hit "Turn Off" or "Restart" it will go all the way through to the blue screen with "Windows is Shutting Down" and then just sit there. It appears to have shut down everything (computer is quiet, nothing seems to be running) but it never goes past that screen. I end up having to have to manually turn it off with the on/off button every time. (Which makes me nervous.) Is there any way to fix that?

Click on System Tools ---> Event Viewer ---> System. There are likely to be a few warnings / errors. Most of them would be repeats of earlier ones. Can you check a few of them and let me know which ones are causing the errors. You will have to check each error / warning individually, make a note of the error and type it back for me.
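A quicker way to do the Event Viewer triage tampabelle asks for: summarise the System and Application logs by Source and Event ID so the repeating entries (like the ftdisk 49 and userenv 1517 events quoted later in the thread) stand out, instead of opening each one by hand. This is an added example and not from the thread; it assumes PowerShell 2.0 on Windows XP, where Get-EventLog reads the same classic logs Event Viewer shows (on Vista and later Get-WinEvent does the same job).

```powershell
# Added example (not from the thread): group recent errors and warnings from the
# classic System and Application logs by Source and EventID, most frequent first.
# Assumption: PowerShell 2.0 or later; reading the logs needs no elevation.
$since = (Get-Date).AddDays(-14)   # look back two weeks; adjust as needed

foreach ($log in 'System', 'Application') {
    Write-Host "`n=== $log (errors/warnings since $since) ==="
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since |
        Group-Object Source, EventID |
        Sort-Object Count -Descending |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeGenerated
            $first  = $sorted | Select-Object -First 1
            $last   = $sorted | Select-Object -Last 1
            # One line per distinct Source/EventID pair: how often it occurred,
            # the date range, and the first line of the message text.
            '{0,4}x  {1,-12} ID {2,-6} {3:yyyy-MM-dd} .. {4:yyyy-MM-dd}  {5}' -f `
                $_.Count, $first.Source, $first.EventID,
                $first.TimeGenerated, $last.TimeGenerated,
                ($first.Message -split "`r?`n")[0]
        }
}

# To read the full text of one entry, e.g. the ftdisk event 49 quoted in this
# thread, filter on Source and EventID and expand the Message property.
Get-EventLog -LogName System -Source ftdisk -After $since |
    Where-Object { $_.EventID -eq 49 } |
    Select-Object -First 1 -ExpandProperty Message
```

The summary is what to post back: the count tells you whether an event is a one-off or happens on every boot, and the date range shows whether it stopped after the cleanup.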

merecomputeruser

Posted 17 October 2005 - 02:10 PM

This Error I found under "System" seems to have happened once or twice a day before we fixed the Vundo malware. Could be when I was rebooting after each time it froze . . . here goes . . .

"Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory." (Source: ftdisk, Event ID: 49)

Also, in "Applications", this Warning seems to follow the same pattern . . .

"Windows saved user YOUR-4F1261A8E5\HP_Owner registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account." (Source: userenv, Event ID: 1517)

tampabelle

Posted 19 October 2005 - 10:44 AM

I would recommend the following steps to keep your PC clean (do the Step 8 after the issue is completely resolved) -

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep the Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows update. You can also use the following links

Internet Browsers
4. Have robust explorer settings. It is preferable to use an internet browser other than IE as most of the malware is targeted at IE. In case you prefer to use IE, then download a list of innocent looking but harmful websites from IE-Spyad and install it on your PC. IE-SPYAD puts over 5000 sites in your internet explorer's restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Ensure that Security level, irrespective of whichever browser you use, is set at Medium or higher, restrict the usage of cookies and activeX components.

Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both freeware, are:

Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

Keep your Registry clean. My favourite software is Registry First Aid. This is not freeware, but a trial version can be downloaded.

System Restore Points
8. Since your PC is currently clean, create a system restore point. A system restore would enable you to revert to the settings on the PC when the restore point was created. It is also a good idea to flush all earlier system restore points which may be containing infected files.

Click on Start ---> Help and Support.

Under Help and Support Resources, click on System Restore. Click on "create a restore point". Click on Next and follow the instructions to create the system restore point.

Now Click on start ---> Run. Type in - cleanmgr - and hit enter. In the window which opens, it will ask you to choose your default drive (most likely C:\). Click on OK. It will scan your hard disks for cleaning up and may take a couple of minutes. Be patient.

After the scan is complete, click on "More Options" tab. Click on cleanup button in the System Restore section. Click on Yes when you are prompted - Are you sure you want to delete all but the most recent restore point?